343 matches found

OSV
added 2026/02/27 10:20 p.m., 5 views

CVE-2026-28425 Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the...

CVSS 8, AI score 6.4, EPSS 0.00428
Exploits 0, References 5
Vulnrichment
added 2026/02/27 10:14 p.m., 3 views

CVE-2026-28424 Statamic's missing authorization allows access to email addresses

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype's data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...

CVSS 6.5, AI score 5.9, EPSS 0.00231
Exploits 0, References 3
Cvelist
added 2026/02/27 10:14 p.m., 19 views

CVE-2026-28424 Statamic's missing authorization allows access to email addresses

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype's data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...

CVSS 6.5, EPSS 0.00231
Exploits 0, References 3
CVE
added 2026/02/27 10:14 p.m., 12 views

CVE-2026-28424

Statamic CMS contains a medium-severity exposure where email addresses were returned by the user fieldtype data endpoint for control panel users lacking the "view users" permission. Affected versions are prior to 5.73.11 and 6.4.0. The issue has been fixed in 5.73.11 and 6.4.0. The CVSS vector indi...

CVSS 6.5, AI score 5.9, EPSS 0.00231
Exploits 0, References 3, Affected Software 1
OSV
added 2026/02/27 10:14 p.m., 3 views

CVE-2026-28424 Statamic's missing authorization allows access to email addresses

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype's data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...

CVSS 6.5, AI score 5.9, EPSS 0.00231
Exploits 0, References 5
ATTACKERKB
added 2026/02/27 10:11 p.m., 4 views

CVE-2026-28423

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary...

CVSS 8.6, AI score 5.9, EPSS 0.00378
Exploits 0, References 4, Affected Software 1
CVE
added 2026/02/27 10:11 p.m., 8 views

CVE-2026-28423

CVE-2026-28423 affects Statamic CMS. Prior to versions 5.73.11 and 6.4.0, using Glide image manipulation in insecure mode (not default) allows an unauthenticated attacker to leverage the image proxy to cause the server to send HTTP requests to arbitrary URLs, either directly or via the watermark ...

CVSS 8.6, AI score 5.9, EPSS 0.00378
Exploits 0, References 3, Affected Software 1
Vulnrichment
added 2026/02/27 10:11 p.m., 2 views

CVE-2026-28423 Statamic Vulnerable to Server-Side Request Forgery via Glide

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary...

CVSS 6.8, AI score 5.9, EPSS 0.00378
Exploits 0, References 3
Cvelist
added 2026/02/27 10:11 p.m., 26 views

CVE-2026-28423 Statamic Vulnerable to Server-Side Request Forgery via Glide

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary...

CVSS 6.8, EPSS 0.00378
Exploits 0, References 3
OSV
added 2026/02/27 10:11 p.m., 5 views

CVE-2026-28423 Statamic Vulnerable to Server-Side Request Forgery via Glide

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary...

CVSS 6.8, AI score 5.9, EPSS 0.00378
Exploits 0, References 5
EUVD
added 2026/02/27 9:35 p.m., 7 views

EUVD-2026-9076

Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass...

CVSS 8.8, AI score 5.9, EPSS 0.00386
Exploits 0, References 2
Snyk
added 2026/02/27 9:35 p.m., 4 views

Incorrect User Management

Overview: Affected versions of this package are vulnerable to Incorrect User Management via the session function. An attacker can gain unauthorized access to sensitive operations and escalate privileges by bypassing the intended verification step during authenticated sessions. Remediation: Upgrade...

CVSS 8.8, AI score 6, EPSS 0.00386
Exploits 0, References 3
OSV
added 2026/02/27 9:35 p.m., 6 views

GHSA-RW9X-PXQX-Q789 Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass

Impact: Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user's existing permissions, may lead to privilege escalation. Patches: This has...

CVSS 8.8, AI score 5.8, EPSS 0.00386
Exploits 0, References 4
Vulnrichment
added 2026/02/27 9:34 p.m., 3 views

CVE-2026-27939 Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass

Statamic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensiti...

CVSS 8.8, AI score 5.9, EPSS 0.00386
Exploits 0, References 2
ATTACKERKB
added 2026/02/27 9:34 p.m., 7 views

CVE-2026-27939

Statamic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensiti...

CVSS 8.8, AI score 5.9, EPSS 0.00386
Exploits 0, References 3, Affected Software 1
OSV
added 2026/02/27 9:34 p.m., 8 views

CVE-2026-27939 Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass

Statamic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensiti...

CVSS 8.8, AI score 5.9, EPSS 0.00386
Exploits 0, References 4
Cvelist
added 2026/02/27 9:34 p.m., 28 views

CVE-2026-27939 Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass

Statamic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensiti...

CVSS 8.8, EPSS 0.00386
Exploits 0, References 2
CVE
added 2026/02/27 9:34 p.m., 19 views

CVE-2026-27939

CVE-2026-27939 affects Statamic CMS (Laravel/Git powered). From version 6.0.0 up to, but not including, 6.4.0, Authenticated Control Panel users may obtain elevated privileges due to a session verification bypass. This could enable access to sensitive operations depending on user permissions. The...

CVSS 8.8, AI score 5.9, EPSS 0.00386
Exploits 0, References 2, Affected Software 1
CNNVD
added 2026/02/27 12:00 a.m., 3 views

cms authorization issue vulnerability

Cms is a software package developed by Statamic. Versions of CMS from 6.0.0 to 6.4.0 had an authorization issue vulnerability. This vulnerability stemmed from improper permission verification, which could lead to unauthorized privilege escalation...

CVSS 8.8, AI score 5.8, EPSS 0.00386
Exploits 0, References 3
CNNVD
added 2026/02/27 12:00 a.m., 7 views

Statamic cross-site scripting vulnerability

Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows all content, templates, assets, and settings to be stored in files rather than in a database. Versions of Statamic 5.73.11 and earlier, as well as 6.4.0 and earlier, had a cross-site scripting vulnerability. This...

CVSS 8.7, AI score 5.6, EPSS 0.00259
Exploits 0, References 4